DOJ Releases New Guidance on Compliance Programs

On February 8, 2017, the Fraud Section of the Department of Justice (“DOJ”) quietly published pointed and specific guidance on how it assesses – and intends to assess – compliance programs in a report titled “Evaluation of Corporate Compliance Programs” (the “Report”).1 Much of the substantive guidance in the Report draws from pre-existing DOJ materials and is consistent with other well-known compliance guidance. The Report provides insight into the questions corporate counsel should expect from DOJ prosecutors during a criminal investigation and it highlights common indicators of a strong corporate culture of compliance.

Background
Since at least 1999, when the “Holder Memo” addressed principles of prosecution of business organizations, companies have looked to a variety of DOJ publications for clues on how compliance programs were evaluated and weighed in the context of corporate criminal investigations. The Report is an explicit continuation of DOJ materials that previously addressed compliance programs, including the United States Federal Sentencing Guidelines,2 the United States Attorney’s Manual3 and A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “FCPA Guide”).4 Earlier materials, such as the Federal Sentencing Guidelines and U.S. Attorney’s Manual, have helped defense lawyers frame corporate cooperation with criminal investigations, but proved less effective guides to DOJ compliance program evaluations (as has been made clear many times over, an effective compliance program is not a complete defense for a corporation). Although the 2008 “Filip Factors” listed in the U.S. Attorney’s Manual instruct prosecutors to consider the effectiveness of a compliance program when conducting an investigation or negotiating a resolution, they lack the detail necessary to evaluate complex international compliance programs that rely on layers of internal corporate review and data analysis. More recent guidance, such as the FCPA Guide, provides insight into how the effectiveness of companies’ compliance programs would be assessed by the DOJ in the event of an investigation. That is, they are valuable after-the-fact measures that provide only a baseline for creating compliance policies and turning them into an effective compliance program.

The Report gives a further window into what DOJ prosecutors are looking for and, in particular, what the DOJ internal compliance counsel is looking for, when analyzing a company’s compliance operation. Though its approach is consistent with prior DOJ guidance, the new release could mark a subtle departure from DOJ’s allowance that compliance programs are individually evaluated in light of a company’s specific needs and risk profile. Instead, the Report is a roadmap of questions that companies and their counsel should expect and be able to answer – and, importantly, should be able to explain why inapplicable questions are not relevant to a company’s specific needs or risk profile. Two pronounced themes that are present throughout the Report are accountability from individuals and an expected corporate culture of compliance.

Focus on Individual Responsibility and Corporate Culture
The Report reflects the DOJ’s continued interest in individual responsibility, as recently articulated in the 2015 Yates Memo, which prioritized individual accountability in corporate investigations.5 The Report further evidences DOJ’s interest in pursuing individuals in cases of corporate wrong-doing. The Report identifies 11 broad topic areas,6 along with numerous sub-topics and questions that prosecutors may ask when evaluating a compliance program. Several of these topics, sub-topics, and specific questions focus on individual responsibility; some examples:

“How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question?”

“What specific actions have senior leaders. . .taken to demonstrate their commitment to compliance, including their remediation efforts?”

“Who reviewed the performance of the compliance function and what was the review process?”

The 11 broad topic areas in the Report also set forth a detailed framework of DOJ’s corporate culture expectations. For example, the Report includes questions regarding (1) the stature and power of the compliance program, (2) compliance officers’ access to the company’s board of directors, (3) the design and implementation of compliance policies and procedures, (4) how the company assesses and tests for risk, (5) whether employees are adequately trained to recognize and respond to misconduct, (6) the company’s reporting and investigatory mechanisms and (7) whether the company takes appropriate disciplinary actions in the event of misconduct. While none of these questions is novel, it is undeniably essential that a responsible company official be able to provide satisfactory answers to them in the face of enforcement scrutiny.

Takeaways
Even though the Report contains guidance previously addressed through existing DOJ materials, it provides a sharper lens into how DOJ evaluates the effectiveness of corporate compliance programs. Only time will tell the extent to which DOJ treats the Report as a checklist (which it explicitly denies it does or will) when it subjects a compliance program to close scrutiny and, even then, whether the DOJ’s approach will be publicly discernible in resolved cases.